Apple's Mountain Lion to offer automatic security updates

Apple is building in automatic update checking into the next version of Mac OS X – Mountain Lion.

OS X 10.8 Mountain Lion can be configured to automatically poll for security updates every day instead of waiting for users to check for them, which describes the current set-up, AppleInsider reports.

Alternatively, Mountain Lion can be set up to phone home for updates every time a computer is restarted. In either case, users can select to automatically apply available security updates.

"Of course, most days it is unlikely that Apple will have released a security update - but for those times when they have, this feature will hopefully reduce the window of opportunity for malicious hackers to exploit any vulnerabilities in OS X," notes Graham Cluley, senior technology consultant at net security firm Sophos.

The automatic update feature appeared alongside the latest build of Mountain Lion Developer Preview, where it is known as "OS X Security Update Test 1.0" and available through the Mac App Store.

In addition, the latest laptops from Apple will come with a "PowerNap" feature, allowing security updates to be downloaded while the rest of the computer is in sleep mode.

Both features will help ensure that more Macs are kept more up-to-date. Whether or not they remain secure will still depend on the timely publication of security updates from Apple, an issue highlighted by the infamous Flashback Trojan. Flashback exploited a Java vulnerability to infect 600,000 Macs worldwide. The malware exploited a cross-platform flaw in Java that was patched on Windows machines weeks before creating mayhem on Macs. But Apple took much longer to respond, eventually belatedly responding with Java updates and clean-up tools.

Chastened by the experience, Apple is reportedly making security improvements a key feature in Mountain Lion, which is due to debut in mid-July. Other changes in the pipeline may include mandating secure connection to Apple's update servers. Earlier this month it emerged that the Flame cyber-espionage tool had used a "man-in-the-middle" attack against the Windows update system. If Apple introduces security updates over SSL connections then it will move ahead of the game in thwarting this type of attack.

It's unclear to what extent Apple will retro-fit these various security improvements into previous versions of Mac OS X.

In a related moved, Apple recently removed assertions that the Mac "doesn't get PC viruses" in favour of the less strident statement that its computers are "built to be safe".

The increased popularity of Macs in business Apple will need to develop tools (or at least settings) to make patching more manageable in corporate environments.

"In business environments the concept of automatic, silent updates to the Mac operating system may be less popular," Cluley explained. "Often organisations prefer to test a security update before rolling it out across a large number of computers, in case there are bugs or conflicts.

"Furthermore, companies may not like the idea of lots of their Mac computers individually pulling down hefty security updates and gobbling up their internet bandwidth. Presumably Apple will provide mechanisms for businesses to handle these issues when OS X ships next month," he concluded. ®